diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 0d45ca5eb..7e9a7ff6a 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -63,6 +63,11 @@ jobs:
 publish:
 runs-on: ubuntu-latest
+ permissions:
+ contents: write
+ id-token: write # For using token to sign images
+ actions: read # For getting workflow run info to build provenance
+ packages: write # Required for publishing provenance. Issue: https://github.com/slsa-framework/slsa-github-generator/tree/main/internal/builders/container#known-issues
 if: ${{ github.ref_type == 'tag' && github.repository_owner == 'Kong' }}
 steps:
 # checkout tag
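Review bot: `contents: write` is the only scope in the added `permissions:` block without a justification comment, and it is the broadest grant here, since it lets the job token push to the repository and modify releases. If `publish` only checks out the tag, `contents: read` should be enough; otherwise record the reason next to it, e.g. `contents: write # <why this job writes to the repository>`. The block is job-level, so `id-token: write` and `packages: write` are available to every step in `publish`, including any third-party actions. The steps are outside this hunk, so it is worth confirming that those actions are pinned to commit SHAs, or that the signing and provenance steps could run in a separate job that alone holds these scopes.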